SPA Talk at the Last HOPE Computer Security Conference

28 June, 2008

Next month in NYC the final Hackers On Planet Earth (HOPE)
conference will take place from July 18th through the 20th. I will be giving a
talk there entitled
"Port Knocking and Single Packet Authorization: Practical Deployments", and here is
the abstract:

Port Knocking and
its big brother, Single Packet Authorization (SPA), can provide a robust additional layer
of protection for services such as SSH, but there are many competing Port Knocking and SPA
implementations. This talk will present practical usages of fwknop in Port Knocking and SPA
modes, and discuss what works and what doesn't from a protocol perspective. Integration
points for both iptables and ipfw firewalls on Linux and FreeBSD systems will be highlighted,
and client-side support on Windows will be demonstrated. Finally, advanced functionality
such as inbound NAT support for authenticated connections, sending SPA packets over the
Tor anonymity network, and covert channel usages will be discussed. With SPA deployed,
anyone scanning for a service with Nmap cannot even tell that it is listening, let alone
target it with an exploit (zero-day or not).

A goal for the talk will be to start with the most basic port knocking deployment
(a shared sequence of only one port) and build from there into encrypted port knocking
sequences, and then move into the SPA realm with SPA packets encrypted with Rijndael
and finally with GnuPG. Along the way security tradeoffs will be discussed. For example,
a shared sequence of a single port allows an extremely simplistic port knocking
implementation (so there is less risk of a vulnerability in the port knocking software
itself), but then any casual port scan or stray packet that hits the shared port also
qualifies as a valid port knock sequence. At the high end, SPA packets encrypted with
GnuPG solve all sorts of difficulties with simple port knocking from a protocol
perspective, but there is the slight expense of a more complicated implementation
(although it is still a lot harder to target an SPA implementation with an exploit
than a complicated TCP-based service that advertises its existence to the world under
any basic port scan).
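To make the tradeoff in the paragraph above concrete, here is a small simulation (an added example for this post, not fwknop code and not its wire format) of the two ends of the spectrum: a single-port knock check, which any packet that hits the shared port satisfies, next to an SPA-style check that requires a keyed MAC, a fresh timestamp and an unused nonce before it authorizes anything. The key, port number and time window are constructed demo values; the payload layout (nonce, timestamp, HMAC-SHA256) is an assumption made for illustration, and it uses a keyed MAC where fwknop uses Rijndael or GnuPG encryption, since the point being shown is only which packets the server treats as valid.

```python
import hmac
import hashlib
import os
import struct

# Constructed demo values; a real deployment uses its own key and port.
KNOCK_PORT = 31337       # the single shared port of the simplest knock scheme
DEMO_KEY = b"constructed-demo-key-not-for-real-use"
TIME_WINDOW = 120        # seconds an SPA packet stays valid (assumed policy)

NONCE_LEN = 16
TS_LEN = 8
MAC_LEN = 32             # SHA-256 digest length
PAYLOAD_LEN = NONCE_LEN + TS_LEN + MAC_LEN


def knock_accepts(dport):
    """Single-port knock: any packet that hits the shared port 'authenticates'.
    A scan that walks the port range, or a stray packet, hits it just the same."""
    return dport == KNOCK_PORT


def spa_build(key, ts, nonce=None):
    """Build an SPA-style payload: nonce || timestamp || HMAC-SHA256(key, nonce||timestamp).
    The MAC binds the timestamp and nonce so neither can be edited in transit."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    body = nonce + struct.pack(">Q", ts)
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return body + mac


def spa_accepts(key, payload, now, seen):
    """Decide whether an SPA payload authorizes access.
    Returns 'accept' or a reject reason. 'seen' is the replay cache of accepted nonces.
    The MAC is checked before any state is touched, so garbage never reaches the cache."""
    if len(payload) != PAYLOAD_LEN:
        return "bad-length"
    body, mac = payload[:NONCE_LEN + TS_LEN], payload[NONCE_LEN + TS_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return "bad-mac"
    nonce = body[:NONCE_LEN]
    ts = struct.unpack(">Q", body[NONCE_LEN:])[0]
    if abs(now - ts) > TIME_WINDOW:
        return "stale"
    if nonce in seen:
        return "replay"
    seen.add(nonce)
    return "accept"


if __name__ == "__main__":
    # A port scan touching the knock port is indistinguishable from a real knock.
    print("scan packet to knock port:", knock_accepts(KNOCK_PORT))

    # The same scan packet carries no valid SPA payload and is rejected outright;
    # a replayed capture of a genuine packet is rejected as well.
    seen = set()
    genuine = spa_build(DEMO_KEY, ts=1000)
    print("scan packet as SPA:", spa_accepts(DEMO_KEY, b"", now=1000, seen=seen))
    print("genuine SPA packet:", spa_accepts(DEMO_KEY, genuine, now=1000, seen=seen))
    print("replayed SPA packet:", spa_accepts(DEMO_KEY, genuine, now=1000, seen=seen))
```

The single-port check has nothing to get wrong, which is the appeal the post describes, but it also cannot distinguish a scanner from a client. The SPA-style check rejects unsolicited packets by length or MAC before touching any state, and the timestamp window plus nonce cache close the replay hole that plain port knocking leaves open; the price is that each of those checks is code that has to be right.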